CVE-2026-35351 Overview
The mv utility in uutils coreutils contains an improper preservation of permissions vulnerability (CWE-281) that affects file ownership during cross-filesystem move operations. When moving files between different filesystem boundaries, the utility falls back to a copy-and-delete routine that creates the destination file using the caller's UID/GID rather than preserving the source file's metadata. This flaw can disrupt backup and migration workflows, causing files moved by privileged users (such as root) to unexpectedly become root-owned, potentially leading to information disclosure or restricted access for intended file owners.
Critical Impact
Files moved across filesystem boundaries by privileged users may have their ownership unexpectedly changed, breaking access control and potentially exposing sensitive data or denying access to legitimate owners.
Affected Products
- uutils coreutils (affected versions not specified)
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-35351 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35351
Vulnerability Analysis
This vulnerability is classified under CWE-281 (Improper Preservation of Permissions), which occurs when software fails to maintain the original security attributes of files or resources during operations. The flaw specifically manifests in the mv utility's fallback behavior when it cannot perform an atomic rename operation.
When a file is moved within the same filesystem, Unix-like systems use the rename() system call, which atomically updates directory entries while preserving all file metadata including ownership. However, when moving files across different filesystem boundaries (such as from an ext4 partition to an NFS mount), an atomic rename is not possible. In this scenario, the mv utility must fall back to a copy-and-delete approach.
The vulnerability arises because the uutils coreutils implementation of this fallback routine creates the destination file with the effective UID/GID of the calling process rather than explicitly setting the ownership to match the source file's original metadata. This means that when a privileged user (such as root) moves files belonging to another user across filesystem boundaries, those files become root-owned at the destination.
Root Cause
The root cause lies in the copy-and-delete fallback implementation within the uutils coreutils mv utility. The code fails to explicitly call chown() or equivalent functions to restore the original file ownership after copying the file content to the new location. Standard file creation inherits ownership from the process credentials, which differs from the expected behavior of preserving the source file's ownership attributes during a move operation.
Attack Vector
This vulnerability requires local access and high privileges to exploit. An attacker with privileged access (or a system administrator performing routine operations) could inadvertently trigger the vulnerability during:
- Backup Operations: Moving user files to backup storage mounted on a different filesystem
- System Migrations: Relocating user home directories or application data across storage volumes
- Storage Reorganization: Moving files between partitions during disk space management
The exploitation scenario involves executing a mv command as root to relocate files across filesystem boundaries. The resulting ownership change could lock out legitimate users from their own files or expose previously protected files to unauthorized access if the new ownership grants broader permissions than intended.
For technical details on the vulnerability mechanism, refer to the GitHub Issue Discussion.
Detection Methods for CVE-2026-35351
Indicators of Compromise
- Files with unexpected root ownership in directories that should contain user-owned files
- Access denied errors for users attempting to access their own files after migration or backup operations
- Audit logs showing ownership changes coinciding with cross-filesystem move operations
- User complaints about inability to access files following administrative file relocations
Detection Strategies
- Monitor file ownership changes using filesystem auditing tools such as auditd with rules targeting chown and file creation events
- Implement periodic scans comparing actual file ownership against expected ownership baselines
- Review system logs for mv operations performed by privileged users that span different mount points
- Use file integrity monitoring (FIM) solutions to track unauthorized ownership modifications
Monitoring Recommendations
- Enable detailed filesystem auditing for cross-mount file operations
- Configure alerts for ownership changes on sensitive directories and files
- Implement automated checks comparing source and destination file metadata during backup verification
- Monitor for privilege escalation patterns where files unexpectedly become accessible to different users
How to Mitigate CVE-2026-35351
Immediate Actions Required
- Verify uutils coreutils version in use and check for available updates from the project maintainers
- Avoid using mv for cross-filesystem operations until a patch is available; use cp -a followed by explicit verification and deletion instead
- Audit recently moved files across filesystem boundaries to identify and correct ownership issues
- Implement wrapper scripts that verify and restore ownership after move operations
Patch Information
Refer to the GitHub Issue Discussion for the latest information on patches and fixes from the uutils coreutils project maintainers. Users should monitor this issue for updates regarding corrected versions.
Workarounds
- Use cp -a (archive mode) to copy files with preserved attributes, then manually verify and remove source files
- Implement a shell script wrapper that captures source ownership metadata, performs the move, and then applies chown to restore original ownership
- For automated backup systems, configure post-copy ownership verification and correction routines
- Consider using GNU coreutils mv as an alternative until the uutils implementation is patched
# Workaround: Safe cross-filesystem move preserving ownership
# Capture original ownership
OWNER=$(stat -c '%u:%g' "$SOURCE_FILE")
# Copy with archive mode to preserve attributes where possible
cp -a "$SOURCE_FILE" "$DEST_PATH"
# Explicitly restore ownership (requires appropriate privileges)
chown "$OWNER" "$DEST_PATH/$SOURCE_FILE"
# Verify ownership before removing source
if [ "$(stat -c '%u:%g' "$DEST_PATH/$SOURCE_FILE")" = "$OWNER" ]; then
rm "$SOURCE_FILE"
else
echo "Warning: Ownership verification failed"
fi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
